Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix xff trusted hops #37780

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix xff trusted hops #37780

wants to merge 1 commit into from

Conversation

zhaohuabing
Copy link
Member

@zhaohuabing zhaohuabing commented Dec 20, 2024
edited
Loading

Commit Message: this PR resolves the issue of incorrect handling of XFF trusted hops, which was inconsistent between the two approaches—OriginalIpDetectionExtension and HCM xffNumTrustedHops—used for retrieving the remote IP from the XFF header. Additionally, the old behavior in the OriginalIpDetectionExtension was also not aligned with the Envoy documentation, which specifies that the original IP should correspond to the rightmost trusted hop in the XFF header.

For example, for a request going thourgh two trusted proxies, like this:

client(203.0.113.128) ----->proxy 1( 203.0.113.10) --------->proxy 2(203.0.113.1)--------> Enovy

proxy1 will add the client ip 92.168.1.1 to the XFF header, and proxy 2 will append it's direct upstream ip 92.168.1.2 to the XFF header. When Envoy finally receives the request, the xff header is X-Forwarded-For: 203.0.113.128, 203.0.113.10.

In this setup, the trusted hops is 2, and the correct client IP is the second rightmost ip in the XFF header 192.168.1.1

More details in the issue: #34241 (comment)

Disclaimer: I may have misunderstood the functionality of HCM xff_num_trusted_hops and the XFF extension. If the current behavior is correct, we would appreciate any assistance in addressing the related issue in Envoy Gateway envoyproxy/gateway#4702

Additional Description:
Risk Level:
Testing:
Docs Changes: No
Release Notes: Yes
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #34241]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

Related Envoy Gateay issue: envoyproxy/gateway#4702

@zhaohuabing
fix xff trusted hops
b957cf4 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing marked this pull request as draft December 20, 2024 08:53
@zhaohuabing

This comment was marked as outdated.

Sign in to view
@zhaohuabing zhaohuabing reopened this Dec 21, 2024
@zhaohuabing zhaohuabing mentioned this pull request Dec 21, 2024
Draft
@zhaohuabing zhaohuabing marked this pull request as ready for review December 21, 2024 08:28
@rudrakhp rudrakhp mentioned this pull request Dec 21, 2024
Open
@phlax
Copy link
Member

phlax commented Dec 23, 2024

note: envoy maintainers will be mostly on vacation until 6th jan

tests are failing

/wait

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alyssawilk alyssawilk Awaiting requested review from alyssawilk alyssawilk is a code owner

@mattklein123 mattklein123 Awaiting requested review from mattklein123 mattklein123 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@alyssawilk alyssawilk

Labels
waiting
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Thexff_num_trusted_hops in XffIPDetection is not aligned with the doc and the xffNumTrustedHops option in HCM
3 participants
@zhaohuabing @phlax @alyssawilk